Datasette 1.0 alpha series leaks names of databases and tables to unauthenticated users
Description

### Impact

This bug affects Datasette instances running a Datasette 1.0 alpha – 1.0a0, 1.0a1, 1.0a2 or 1.0a3 – that are reachable from the internet (or any untrusted network) but rely on authentication enabled through a plugin such as [datasette-auth-passwords](https://datasette.io/plugins/datasette-auth-passwords) to keep their data private.

The `/-/api` API explorer endpoint could reveal the names of both databases and tables – but not their contents – to an unauthenticated user.

### Patches

Datasette 1.0a4 has a fix for this issue.

### Workarounds

To work around this issue, block all traffic to the `/-/api` endpoint. This can be done with a proxy such as Apache or NGINX, or by installing the [datasette-block](https://datasette.io/plugins/datasette-block) plugin and adding the following configuration to your `metadata.json` or `metadata.yml` file:

```json
{
  "plugins": {
    "datasette-block": {
      "prefixes": ["/-/api"]
    }
  }
}
```
This will block access to the API explorer but will still allow access to the Datasette read or write JSON APIs, as those use different URL patterns within the Datasette `/database` hierarchy.
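The following is an added example, not part of this advisory and not the code of the datasette-block plugin or of Datasette itself. It shows the shape of the workaround as a minimal ASGI middleware: any HTTP request whose path is `/-/api` (or anything beneath it) is answered with a 403 before it reaches the application, while every other path, including the `/database.json` and `/database/table.json` read/write APIs, passes through untouched. The `fake_datasette` app standing in for Datasette, the 403 status, and the `status_for` helper used to drive it offline are assumptions made for this example. The match is deliberately stricter than a bare string prefix: `/-/api` and `/-/api/...` are blocked, but an unrelated path that merely begins with the same characters is not.

```python
"""Added example (not the advisory's or the plugin's own code): block /-/api
at the ASGI layer and verify that other Datasette URL patterns still pass."""
import asyncio

# Assumed for this example: the only prefix we want to block is the API explorer.
BLOCKED_PREFIXES = ("/-/api",)


def is_blocked(path, prefixes=BLOCKED_PREFIXES):
    """True if `path` is a blocked prefix itself or a path beneath it.

    ASGI `scope["path"]` is already percent-decoded and carries no query
    string, so "/-/api?foo=1" arrives here as "/-/api".  Requiring an exact
    match or a following "/" keeps e.g. "/-/apiary" from being caught.
    """
    for prefix in prefixes:
        base = prefix.rstrip("/")
        if path == base or path.startswith(base + "/"):
            return True
    return False


def block_prefixes(app, prefixes=BLOCKED_PREFIXES):
    """Wrap an ASGI app so blocked paths get a 403 and never reach it."""

    async def wrapped(scope, receive, send):
        if scope.get("type") == "http" and is_blocked(scope.get("path", ""), prefixes):
            body = b"Forbidden\n"
            await send({
                "type": "http.response.start",
                "status": 403,
                "headers": [
                    (b"content-type", b"text/plain; charset=utf-8"),
                    (b"content-length", str(len(body)).encode()),
                ],
            })
            await send({"type": "http.response.body", "body": body})
            return
        # Anything else (other HTTP paths, lifespan, websockets) goes through.
        await app(scope, receive, send)

    return wrapped


async def fake_datasette(scope, receive, send):
    """Constructed stand-in for the real Datasette app: answers 200 to everything,
    so the only thing that can produce a 403 is the middleware above."""
    body = b"ok\n"
    await send({
        "type": "http.response.start",
        "status": 200,
        "headers": [
            (b"content-type", b"text/plain; charset=utf-8"),
            (b"content-length", str(len(body)).encode()),
        ],
    })
    await send({"type": "http.response.body", "body": body})


def status_for(path, app=None):
    """Send an unauthenticated GET for `path` through the middleware, offline,
    and return the HTTP status code the client would see."""
    wrapped = block_prefixes(fake_datasette if app is None else app)
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    scope = {
        "type": "http",
        "method": "GET",
        "path": path,
        "query_string": b"",
        "headers": [],  # no cookie, no auth: the unauthenticated case
    }
    asyncio.run(wrapped(scope, receive, send))
    return next(m["status"] for m in sent if m["type"] == "http.response.start")


if __name__ == "__main__":
    for path in ("/-/api", "/-/api/", "/-/versions", "/fixtures.json",
                 "/fixtures/facetable.json"):
        print(f"{path:28} -> {status_for(path)}")
```

Run it and the explorer paths come back 403 while `/-/versions` and the `/fixtures.json` and `/fixtures/facetable.json` patterns come back 200, which is the property the workaround is meant to have: the explorer page is gone, the JSON APIs under the database hierarchy are not. If you implement the block in a reverse proxy instead, make the rule match on the normalised, decoded path, as NGINX `location` does, so that the same check is applied whatever encoding the client chose.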
